GitLab Upgrade Alert - Follow up concerns
What / Why
Customers have voiced some concerns about the severity of the Critical Security Alert and about when and why it appears. We anticipated some resistance due to the invasiveness of this change; however, it appears the Alert UI may be a bit overzealous as to when it appears.
Link to customer thread: #344682 (comment 1233579698)
Workarounds
- If on GitLab 15.7, you can disable the version check. It is recommended to re-enable the version check once you upgrade to GitLab 15.8 so you still receive an indication if GitLab is out of date.
- Alternatively, upgrading to GitLab 15.8 will remove the alert as the alert will be hidden behind a disabled feature flag check.
Understanding the GitLab Upgrade Alert UI suite
Note: this breakdown assumes version check is enabled on the instance (the default) and the target user is an Admin.
1. GitLab Version Badge
UI Representation
Up to date | Update available | Update ASAP |
---|---|---|
(screenshot) | (screenshot) | (screenshot) |
UI Location(s)
- Admin Dashboard
- Help Page
- Help Dropdown
When to appear
- Always
2. GitLab Critical Security Upgrade Banner Alert
UI Representation
![](/-/project/278964/uploads/aea09823178dc302b5647176452c84c6/Screen_Shot_2022-11-22_at_11.55.33_AM.png)
UI Location(s)
- Everywhere
When to appear
- If behind a `danger` level upgrade, always and non-dismissible
3. GitLab Critical Security Upgrade Modal
UI Representation
No Stable Versions or Details | Stable Versions but no Details | Both Stable Versions and Details |
---|---|---|
(screenshot) | (screenshot) | (screenshot) |
UI Location(s)
- Everywhere
When to appear
- If behind a `danger` level upgrade, always and dismissible for 3 day periods
4. GitLab Version Check API
More information about this project: https://gitlab.com/gitlab-services/version-gitlab-com
How it works
A GitLab instance sends a request to this API to compare its own version against the live GitLab version. There is logic to determine the severity of the upgrade the instance is behind.
There are 3 levels of response:
- Up to date (`severity: 'success'`)
- Update available (`severity: 'warning'`)
- Update ASAP (`severity: 'danger'`)
This response is what powers the above UI elements.
Customer Issues
Consolidated below are the customer concerns as I have read and understood them:
- The Critical Security Alert UI is appearing for Non-Critical Security Releases
- The Non-Dismissible Banner Alert is invasive for those not ready to upgrade (and need for upgrade is acknowledged by dismissing the Modal)
Proposal
Immediate fix ideas
- Patch release to fully disable the Critical Security Alert UI for now
- Allow Banner Alert to be dismissible for 3 days (same as Modal)
Future Ideas
- Create a differentiation between a Critical Security Release and Non-Critical Security Release in the Version Check API
  - This will allow the UI to make the same differentiation and only show the Banner Alert and Modal when the releases are actually critical
- Consider keeping above idea of allowing the Banner Alert to be dismissible just like the Modal or possibly also hidden when the Modal is dismissed.
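
The display rules described above, next to the proposed ones, as an added sketch that is not GitLab's code. Only the `severity` values come from this issue; the `criticalSecurity` response field, the dismissal-state fields and all function names are hypothetical.

```javascript
// Added illustration, not GitLab's implementation. Only the `severity` values
// come from the issue; `criticalSecurity` and every name below are hypothetical.
const DISMISS_WINDOW_MS = 3 * 24 * 60 * 60 * 1000; // "3 day periods"

// True while a dismissal recorded at `dismissedAt` (ms epoch or null) still applies.
function isDismissed(dismissedAt, now) {
  return dismissedAt !== null && now - dismissedAt < DISMISS_WINDOW_MS;
}

// Behaviour as described in the issue: badge always, banner and modal on
// `danger`, banner non-dismissible, modal dismissible for 3 days.
function currentAlerts(response, state, now) {
  const danger = response.severity === 'danger';
  return {
    badge: true,
    banner: danger,
    modal: danger && !isDismissed(state.modalDismissedAt, now),
  };
}

// Proposed behaviour: banner and modal require a critical release (hypothetical
// `criticalSecurity` flag), and the banner honours its own 3-day dismissal.
function proposedAlerts(response, state, now) {
  const critical =
    response.severity === 'danger' && response.criticalSecurity === true;
  return {
    badge: true,
    banner: critical && !isDismissed(state.bannerDismissedAt, now),
    modal: critical && !isDismissed(state.modalDismissedAt, now),
  };
}

// Constructed sample: a `danger` response for a non-critical security release,
// seen by an admin who dismissed the modal one day earlier.
const now = Date.UTC(2023, 0, 10);
const oneDayAgo = now - 24 * 60 * 60 * 1000;
const response = { severity: 'danger', criticalSecurity: false };
const state = { modalDismissedAt: oneDayAgo, bannerDismissedAt: null };

console.log('current: ', currentAlerts(response, state, now));
console.log('proposed:', proposedAlerts(response, state, now));
```

With the constructed input, the current rules still show the banner after the modal has been dismissed, which is the second customer concern; the proposed rules show only the version badge.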